Path Traversal, also known as Directory Climbing or Directory Traversal, is the exploitation of file paths that a web server does not protect properly, giving an attacker access to sensitive files that were never meant to be served. This vulnerability shows up constantly in globally recognized vulnerability references such as the SANS/CWE Top 25 Most Dangerous Software Errors and the OWASP Top 10.
There are two primary security mechanisms available today in web servers:
Access Control Lists (ACLs) – These are essentially whitelists that the web server’s administrator uses to manage access permissions. They are consulted during the authorization process: only users holding the relevant permissions can access, modify or share sensitive files and information.
Root Directory – This is the directory in the server’s file system below which web content is served; users are not supposed to reach files above this root. One example on Windows platforms is the sensitive cmd.exe file, which rests in a root directory that not everyone can access.
Path Traversal becomes possible when access to web content is not properly controlled and the web server is compromised. It is essentially an HTTP exploit that gives attackers unauthorized access to restricted directories; from there they are eventually able to manipulate the web server and execute malicious commands outside its root directory/folder.
These attacks are usually carried out together with injections such as Resource Injection, and are typically executed with the help of crawlers. The attack usually involves the following steps:
The following URLs show how the application deals with the resources in use:
In these examples, it may be possible to insert a malicious string as the variable parameter in order to access files located outside the web publish directory:
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
The following URLs show examples of UNIX/Linux password file exploitation.
Important: On a Windows system the attacker can navigate only within the partition that holds the web root, whereas on Linux the attacker can navigate and access the whole disk.
Ways of mitigating the risk of Path Traversal include:
CxSAST detects data flows that are vulnerable to Path Traversal by following all user input that is used in a file creation or file reading context. If the input is not validated or sanitized (for traversal sequences such as “..\” or “../”) before being used, CxSAST flags this path as vulnerable to Path Traversal. The developers can then implement the aforementioned remediation techniques.
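The following Python example is added here to illustrate the data flow described above; it is not code from this post or from Checkmarx. It places the vulnerable pattern (user input joined straight onto the web root, as in the get-files URLs earlier) beside a hardened resolver that canonicalizes the path and refuses anything that lands outside the web root, plus a simple input check for the “..” sequences mentioned above. The function names, the temporary directory layout and the sample payloads are all constructed for the example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_unsafe(web_root: str, requested: str) -> str:
    """Vulnerable pattern: the request parameter is joined onto the web root
    with no validation, so "../" segments climb out of the publish directory."""
    return os.path.join(web_root, requested)


def resolve_safe(web_root: str, requested: str) -> Optional[str]:
    """Hardened pattern: percent-decode once, canonicalize the candidate path
    (collapsing ".." and resolving symlinks) and accept it only if it is still
    inside the canonical web root. Absolute paths such as /etc/passwd are
    rejected by the same containment check. Returns None when rejected."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, unquote(requested)))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def has_traversal_sequence(user_path: str) -> bool:
    """Input check in the spirit of the SAST rule: true if any path segment is
    "..", after percent-decoding. Decoding repeats until the string stops
    changing so double-encoded forms (%252e%252e) are also caught. Both "/" and
    "\\" are treated as separators so the Windows form "..\\" is covered."""
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = decoded.replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)


def demo() -> dict:
    """Builds a constructed layout (www/report.txt inside the web root,
    secret.txt one level above it) and shows how each resolver behaves."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "www")
        os.makedirs(web_root)
        with open(os.path.join(web_root, "report.txt"), "w") as f:
            f.write("public report")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("outside the web root")

        payload = "../secret.txt"
        unsafe = resolve_unsafe(web_root, payload)
        return {
            # the unchecked join really points at the file above the web root
            "unsafe_escapes_root": os.path.realpath(unsafe) == os.path.realpath(secret),
            "safe_rejects_traversal": resolve_safe(web_root, payload) is None,
            "safe_rejects_encoded": resolve_safe(web_root, "..%2fsecret.txt") is None,
            "safe_rejects_absolute": resolve_safe(web_root, "/etc/passwd") is None,
            "safe_allows_legit": resolve_safe(web_root, "report.txt")
            == os.path.realpath(os.path.join(web_root, "report.txt")),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment check in resolve_safe is the part that matters: rejecting the literal strings “../” and “..\” alone misses encoded and mixed-separator variants, whereas comparing the canonical path against the canonical web root holds regardless of how the input was written. has_traversal_sequence is still useful as an early signal for logging and alerting.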
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.